ISOGENY VOLCANOES 



ANDREW V. SUTHERLAND 



a; 

00 



Abstract. The remarkable structure and computationally explicit form of 
isogeny graphs of elliptic curves over a finite field has made them an important 
tool for computational number theorists and practitioners of elliptic curve 
cryptography. This expository paper recounts the theory behind these graphs 
and examines several recently developed algorithms that realize substantial 
(often dramatic) performance gains by exploiting this theory. 



1. Introduction 

A volcano is a certain type of graph, one whose shape reminds us of the geological 
formation of the same name. A typical volcano consists of a cycle with isomorphic 
balanced trees rooted at each vertex. 




Figure 1. A volcano. 



More formally, let £ be a prime. We define an l-volcano as follows. 

Definition 1. An l-volcano V is a connected undirected graph whose vertices are 
partitioned into one or more levels Vq, . . . , V4 such that the following hold: 

(i) The subgraph on Vq (the surface) is a regular graph of degree at most 2. 

(ii) For i > 0, each vertex in Vi has exactly one neighbor in level V$_i, and 
this accounts for every edge not on the surface. 

(iii) For i < d, each vertex in Vi has degree I + 1 . 

Self-loops and multi-edges are permitted in an ^-volcano, but it follows from (ii) 
that these can only occur on the surface. The integer d is the depth of the volcano 
(some authors use height). When d = only (i) applies, in which case V is a 
connected regular graph of degree at most 2. This is either a single vertex with up 
to two self-loops, two vertices connected by one or two edges, or a simple cycle on 
three or more vertices (the general case). Figure 2 gives an overhead view of the 
volcano depicted in Figure 1, a 3- volcano of depth 2. 



The author was supported by NSF grant DMS-1115455. 

1 



2 



ANDREW V. SUTHERLAND 




Figure 2. A 3- volcano of depth 2. 

We have defined volcanoes in purely graph-theoretic terms, but we are specifically 
interested in volcanoes that arise as components of graphs of isogenies between 
elliptic curves. Our first objective is to understand how and why volcanoes arise in 
such graphs. The definitive work in this area was done by David Kohel, whose thesis 
explicates the structure of isogeny graphs of elliptic curves over finite fields [21] . The 
term "volcano" came later, in work by Fouquet and Morain [13, 14] that popularized 
Kohel's work and gave one of the first examples of how isogeny volcanoes could be 
exploited by algorithms that work with elliptic curves. 

This leads to our second objective: to show how isogeny volcanoes can be used 
to develop better algorithms. We illustrate this with four examples of algorithms 
that use isogeny volcanoes to solve some standard computational problems related 
to elliptic curves over finite fields. In each case, the isogeny- volcano approach yields 
a substantial practical and asymptotic improvement over the best previous results. 

2. Isogeny graphs of elliptic curves 

We begin by recalling some basic facts about elliptic curves and isogenies, all of 
which can be found in standard references such as [22, 29, 30]. 

2.1. Elliptic curves. Let k be a field. An elliptic curve E/k is a smooth projective 
curve of genus 1, together with a distinguished fc-rational point 0. If k' / k is any field 
extension, the set E(k') of fc'-rational points of E forms an abelian group with 
as its identity element. For convenience we assume that the characteristic of k is 
not 2 or 3, in which case every elliptic curve E/k can be defined as the projective 
closure of a short Weierstrass equation of the form 

Y 2 = X 3 + aX + b, 

where the coefficients a,b G k satisfy 4a 3 + 276 2 ^ 0. Distinct Weierstrass equations 
may define isomorphic curves: the curves defined by Y 2 = X 3 + a-yX + b\ and 



ISOGENY VOLCANOES 



3 



Y 2 = + a 2 X + 62 arc isomorphic if and only if ai — u A a\ and 62 = u 6 bi for 
some u (the isomorphism is then defined over the field k(u)). 

Over the algebraic closure k, we may identify the isomorphism class of an elliptic 
curve E with its j -invariant 

4a 3 

which does not depend on our choice of a and b. Note that while j(E) lies in k, it 
only determines the isomorphism class of E over the algebraic closure k. Elliptic 
curves with the same j-invariant need not be isomorphic over k; such curves are 
said to be twists of each other. The j-invariants j(0,b) = and j(a, 0) = 1728 
correspond to elliptic curves with extra automorphisms. To simplify matters we 
will occasionally exclude these special cases from consideration. 

Every j G k arises as the j-invariant of an elliptic curve E/k: the cases and 
1728 arc addressed above, and otherwise if 

a = 3j(1728 - j) and b = 2j(1728 - j) 2 , 

then j — j(a,b). There is thus a one-to-one correspondence between the field k 
and the set of ^-isomorphism classes of elliptic curves. This is the vertex set of the 
isogeny graphs that we wish to define. 

2.2. Isogenies. An isogeny p : E\ — > E2 is a morphism of elliptic curves, a rational 
map that preserves the identity. Every nonzero isogeny induces a surjective group 
homomorphism from E\{k) to E 2 (k) that has a finite kernel. Elliptic curves related 
by a nonzero isogeny are said to be isogenous. 

The degree of a nonzero isogeny is its degree as a rational map (the zero isogeny 
has degree 0). We call an isogeny of positive degree n an n-isogeny. The kernel of an 
n-isogeny typically has cardinality n (such isogenics arc said to be separable) , and 
this is always the case when n is prime to the characteristic of k. We are primarily 
interested in isogenics of prime degree £ 7^ char k, and we shall only distinguish 
isogenies up to isomorphism, regarding isogenies <\> and <p as equivalent if <j> = <p o 1 
or (j) — l o ip, for some isomorphism l. 

There are two important facts about isogenies that we need. The first is that 
every finite subgroup of E\(k) is the kernel of a separable isogeny that is uniquely 
determined (up to isomorphism) [29, Prop. III. 4. 12], and this isogeny can be ex- 
plicitly computed using Velu's algorithm [36]. The second is that every n-isogeny 
ip : E\ — > Ei has a unique dual isogeny <p : Ei — > E\ that satisfies 

ipoip — ipoip — [n], 

where [n] is the multiplication-by-n map that sends P € E\{k) to nP = P + - ■ - + P; 
see [29, Thm. III. 6.1]. The dual isogeny <p has degree n, and [n] has degree n 2 . 
The kernel of the multiplication-by-n map is the n-torsion subgroup 

E[n] ={?£ E(k) : nP = 0}, 

and for n prime to the characteristic of k we have 

E[n] ~ Z/nZ x Z/nZ. 

For primes £ 7^ char k , there are £ + 1 cyclic subgroups in E[£] of order £, each of 
which is the kernel of a separable i?-isogeny. Every ^-isogeny ip from E arises in this 
way, since any point in the kernel of ip also lies in the kernel of ip o ip = [£]. 



4 



ANDREW V. SUTHERLAND 



Not every ^-isogeny ip: E — > E is necessarily defined over k; this occurs precisely 
when kertp is invariant under the action of the Galois group G = G&\(k(E[£]) / k) . 
The Galois group acts linearly on E[£] ~ Z/£Z x Z/£Z, which we may view as an 
F^- vector space of dimension two in which the order £ subgroups of E[i] are linear 
subspaccs. If G fixes more than two linear subspaces of a two-dimensional vector 
space then it must fix all of them. This yields the following lemma. 

Lemma 2. Let E/k be an elliptic curve and and let £ 7^ charfc be a prime. Up to 
isomorphism, the number of k-rational £-isogenies from E is 0, 1, 2, or £ + 1. 

2.3. The modular equation. Let j(r) be the classical modular function defined 
on the upper half plane H. For any r € H, the complex numbers j( T ) an d j{Nr) are 
the j-invariants of elliptic curves defined over C that are related by an isogeny whose 
kernel is a cyclic group of order N . The minimal polynomial <$>n(Y) of the function 
j(Nz) over the field C(j(z)) has coefficients that are integer polynomials in j(z). 
If we replace j(z) with X we obtain the modular polynomial <&at g Z[X, Y], which 
is symmetric in X and Y and has degree £ + 1 in both variables. It parameterizes 
pairs of elliptic curves over C related by a cyclic 7V-isogeny; the modular equation 
$at(X, Y) = is a canonical equation for the modular curve Yq(N) = To(N)\M.. 

When N is a prime £, every ./V-isogeny is cyclic, and we have 

(1) &t(.j(E 1 ),j(E 2 ))=0 j{E x ) and j(E 2 ) arc ^-isogenous. 

This moduli interpretation remains valid over any field of characteristic different 
from £. On the RHS of (1) we use j(Ei) to denote the fc-isomorphism class of Ei, 
and when we say that j{E\) and j(i?2) are ^-isogenous we mean that one can 
choose €-isogenous representatives E\ and E2 defined over k. Over C, the choice of 
representatives does not matter, but over a non-algebraically closed field such as a 
finite field, we must choose compatible twists. In practice this is easy to do. 

2.4. The graph of ^-isogenies. We now use the modular equation to define the 
graph of ^-isogenics over a field k of characteristic different from £. 

Definition 3. The £-isogeny graph Gg(k) has vertex set k and edges (ji, J2) present 
with multiplicity equal to the multiplicity of j 2 as a root of 

The vertices of Ge(k) are j-invariants, and its edges correspond to (isomorphism 
classes of) ^-isogenics. With the exception of and 1728, the in-degree of each vertex 
in Ge(k) is equal to its out-degree. Thus the subgraph of Ge(k) on fc\{0, 1728} is 
bi-directed, and we may view it as an undirected graph. For any fixed fc, the graphs 
Gi{k) all have the same vertex set, but different edge sets, depending on £. Given 
an elliptic curve E/k, we may view j(E) as a vertex in any of these graphs, a fact 
that has many applications. 

2.5. Supersingular and ordinary components. Over a field of positive charac- 
teristic p, an elliptic curve is supersingular if its p-torsion subgroup E[p] is trivial; 
otherwise it is ordinary. If E is supersingular, then so is any elliptic curve isogenous 
to E; it follows that Gg(k) is composed of ordinary and supersingular components. 

Every supersingular curve over k can be defined over a quadratic extension of /c's 
prime field, thus every supersingular j-invariant in k lies in F p 2 [29, Thm. V.3.1]. 
It follows that if E is supersingular, then the roots of <&i(j{E),Y) all lie in F p 2. 
Thus the supersingular components of Gi (F p 2 ) are regular graphs of degree £ + 1 . 



ISOGENY VOLCANOES 



5 



Remark 4 (Ramanujan graphs). In fact, Gi{¥ p 2) has just one supersingular 
component [21, Cor. 78], and it is a Ramanujan Graph [26], an expander graph with 
an essentially optimal expansion factor. This has cryptographic applications [8]. 

We are primarily interested in the ordinary components of Gi(k), since this is 
where we will find isogeny volcanoes. First we need to recall some facts from the 
theory of complex multiplication. 

2.6. Complex multiplication. An isogeny from an elliptic curve E to itself is 
called an endomorphism. The endomorphisms of an elliptic curve E form a ring 
End(-E) in which addition and multiplication are defined via: 



For any positive integer n, the multiplication- by-n map [n] lies in End(E), and we 
have [n]<j) = 4> + • • • + <f> = ruf) for all <f> G End(_E). Since [n] is never the zero 
endomorphism, it follows that End(-E) contains a subring isomorphic to Z, which 
we shall identify with Z. 

When End(_B) is larger than Z we say that E has complex multiplication (CM), a 
term that arises from the fact that over the complex numbers, endomorphisms that 
do not lie in Z may be viewed as "multiplication-by-a" maps for some algebraic 
integers a. Over a field of positive characteristic p, every elliptic curve has complex 
multiplication, since the p-power Frobenius endomorphism that sends the point 
(X, Y) to (X p , Y p ) does not lie in Z (because, for example, its degree is not square). 

When E has complex multiplication there are two possibilities: 



and in either case we say that E has CM by 0. The second case occurs if and 
only if E is supersingular, which is possible only in positive characteristic; we are 
primarily interested in the first case. It will be convenient to fix an isomorphism 
End(_E) so that we may regard elements of as elements of End(S) and vice 
versa; this can be done canonically, as in [30, Prop. II. 1.1]. 

The endomorphism algebra End°(i?) = End(S) <g> Q is preserved by nonzero 
isogenics. Thus if E has complex multiplication, then so does every elliptic curve 
isogenous E, but not necessarily by the same order 0. 

2.7. Horizontal and vertical isogenies. Let tp: E\ — > E 2 by an £-isogeny of 
elliptic curves with CM by imaginary quadratic orders 0\ and 02 respectively. 
Then 0\ =7L + t{L and 2 = Z + t 2 Z, for some n , t 2 € H. The isogeny tpoT 2 o tp 
lies in End(-Ei), and this implies that £t 2 <G 0\\ similarly, It\ € 02 • There are thus 
three possibilities: 

(i) 0\ = 02, in which case tp is horizontal; 

(ii) [0i : 02] = £, in which case tp is descending; 

(iii) [02 : 0i] = £, in which case tp is ascending. 

In the last two cases we say that tp is a vertical ^-isogeny. The orders 0\ and 02 
necessarily have the same fraction field K = End (^1) = End°(i?2), and both lie 
in the maximal order Ok, the ring of integers of K. 



(<P + p)(P) = cP(P) + tp(P) and (^)(P) = <t>(<p(P)). 




an order in an imaginary quadratic field, 
an order in a definite quaternion algebra, 



6 



ANDREW V. SUTHERLAND 



2.8. The CM torsor. Let E/k be an elliptic curve with CM by an imaginary 
quadratic order O, and let a be an invcrtiblc O-idcal. The a-torsion subgroup 

E[a] = {P£ E(k) : a(P) = for all a E a} 

is the kernel of a separable isogeny (p a : E — > E' . Provided that a has norm prime 
to the characteristic of k, we have deg(p a = N(a) = [O : a]. Because a is invertiblc, 
we must have End(i?) ~ End(-E'); thus ip a is a horizontal isogeny. 

If a and b are two invertible O-ideals then ip a f, — ip a y>b- Thus the group of 
invertible O-ideals acts on the set of elliptic curves with endomorphism ring O. 
When a is a principal ideal, we have E ~ E', thus there is an induced action of the 
ideal class group c\(0) on the set 

Ello(fc) = {j(E) : E/k with End(£) ~ O}. 

This action is faithful (only principal ideals act trivially), and transitive (see [30, 
Prop. II. 1.2] for a proof in the case that k = C and O = Ok, which may be 
generalized via [22, Ch. 10,13]). Provided it is non-empty, the set Ello(fc) is thus 
a principal homogeneous space, a torsor, for the group cl(O). The cardinality of 
Ello(fc) is cither or h, where h = h(O) = # c\{0) is the class number. Thus either 
every curve E/k with CM by O is defined over k, or none of them are. 

Remark 5 (Decomposing isogenies). The CM action allows us to express hor- 
izontal isogenies tp a of large degree as the composition of a sequence of isogenies of 
smaller degree. Even if o has prime norm, we may find that [a] = [pi • • • p s ] in cl(O), 
where the pi are prime ideals with norms smaller than a. Under the generalized 
Riemann hypothesis (GRH), we can find, in probabilistic subexponcntial time, an 
equivalence [a] = [pi • • -p s ] in which the pi have norms that are polylogarithmic 
in the class number h and s = 0(logh); see [9, Thm. 2.1]. This makes horizontal 
isogenies asymptotically easier to compute than vertical isogenies (this holds even 
without the GRH), which has implications for cryptography; see [5, 15, 16, 19, 20]. 

2.9. Horizontal isogenies. Every horizontal i?-isogcny cp arises from the action 
of an invertible O-ideal [ of norm £, namely, the ideal of endomorphisms a e O 
whose kernels contain the kernel of ip. If I divides the index of O in the maximal 
order Ok of its fraction field K, then no such ideals exist. Otherwise we say that O 
is maximal at £, and there are then exactly 



1 + 



^disc(iT)^ 



I is inert in K, 

1 I is ramified in K, 

2 £ splits in K, 



invertible O-ideals of norm £, each of which gives rise to a horizontal ^-isogeny. 
In the split case we have {£) — {■ I, and the [-orbits partition Ello(fc) into cycles 
corresponding to the cosets of ([[]) in cl(O). When [ is principal the ideal class [I] 
is trivial, which leads to self- loops in Gg(k). We can also have [I] = [I] even though 
[ 7^ [, which gives rise to double-edges in Ge(k). 

2.10. Vertical isogenies. Let O be an imaginary quadratic order with discrimi- 
nant D, and let O' = Z + lO be the order of index £ in O. To simplify matters, let 
us assume that O and O' have the same group of units {±1}; this holds whenever 
D < —4, and excludes only the cases O = and O = Z[( 3 ], which correspond to 
the special j-invariants and 1728 respectively. 



ISOGENY VOLCANOES 



7 



The map that sends each invertible C-ideal a to the invertible O-ideal aO pre- 
serves norms and induces a surjective homomorphism 

p: cl(O') -> cl(O). 

See [10, Prop. 7.20] for a proof in the case that O is the maximal order; the general 
case is proved similarly (cf. [4, Lem. 3] and [6, §3]). Under a suitable identification 
of the class groups cl(O') and cl(O) with their torsors Elle>/(fc) and Ello(fc), the 
vertical isogenies from Elle><(fc) to Ello(fc) correspond to the map from cl(O') to 
cl(O) given by p. To show this, let us prove the following lemma. 

Lemma 6. Let E'/k be an elliptic curve with CM by O' . Then there is a unique 
ascending l-isogeny from E' to an elliptic curve E/k with CM by O. 

Proof. The existence of E'/k implies that Elle>/(fc) is nonempty, and since O con- 
tains O', it follows that Ell (fc) is also nonempty. 1 

Let us suppose that there exists an ascending isogeny fa : E[ — > E\ , for some 
elliptic curve E[ with CM by O' . Twisting E\ if necessary, we may choose an 
invertible O'-ideal a' so that the horizontal isogeny <p a i maps E[ to E' . If we now 
set o = p(a') and let E by the image of <p a o fa, then E has CM by O, and there 
is a unique isogeny fa- E' — > E such that <p ° fa' = <Pa°<t>i, by [29, Cor. 4.11]. We 
have deg <p = deg ip a deg fa/ deg ip a > — I, thus <fi is an ascending f-isogeny. It follows 
that if any elliptic curve E[/k with CM by O 1 admits an ascending £- isogeny, then 
so does every such elliptic curve. 

We now proceed by induction ond= ^([Ok ■ O]). Let Dk = disc(if). For 
d = 0, every elliptic curve E/k with CM by O admits t+1 fc-rational £-isogenies, 
of which l + (2f) are horizontal. The remaining I — i^j-) > must be descending, 
and their duals are ascending £- isogenies from elliptic curves with CM by O'. It 
follows that there are a total of (£- (£f))h(0) ascending ^-isogenies from Ellcc (k) 
to Ell (fc). By [10, Thm. 7.24], this is equal to the cardinality h(0') of Ell /(fc). 
Since there is at least one ascending I- isogeny from each elliptic curve E'/k with 
CM by O', there must be exactly one in each case. 

The argument for d > is similar. By the inductive hypothesis, every elliptic 
curve E/k with CM by O admits exactly one ascending ^-isogeny, and since I now 
divides [Ok '■ O], there are no horizontal isogenics from E, and all ( of the remaining 
£-isogenies from E must by descending. There are thus a total of £h(0) ascending 
£-isogenies from Ell<3/(fc), which equals the cardinality h(O r ) of Elle>/(fc). □ 

It follows from the proof of Lemma 5 that there is a one-to-one correspondence 
between the graph of the function p and the edges of Gi(k) that lead from Ello' (k) to 
Ello(fc). Indeed, let us pick a vertex j[ e Eilo<(A;) and let j\ be its unique neighbor 
in Elle>(fc) given by Lemma 6. If we identify the edge in Ge(k) with the edge 

(lci(O')' lci(O)) m the graph of p, then every other edge in the correspondence is 
determined in a way that is compatible with the actions of cl(O') and cl(O) on the 
torsors Ello'(fc) and Elle>(fc). Under this correspondence, the vertices in Ellex(fc) 
that are connected to a given vertex v in Elle>(fc) (the children of v) correspond to 
a coset of the kernel of p, a cyclic group of order I — (^jf) generated by the class 
of an invertible O'-ideal of norm £ 2 ; see [6, Lem. 3.2]. 

^One way to see this is to note that k contains all the roots of the Hilbert class polynomial 
for O', hence it must contain all the roots of the Hilbert class polynomial for O, since the ring 
class field of O' contains the ring class field of O; see §3.4. 



8 



ANDREW V. SUTHERLAND 



2.11. Ordinary elliptic curves over finite fields. We now assume that k is 
a finite field ¥ q . Let E/¥ q be an ordinary elliptic curve and let tte denote the 
Frobenius endomorphism (X,Y) i->- (X q ,Y g ). The trace of Frobenius is given by 

t = tm E = q+l-#E(¥ q ), 

and tte satisfies the characteristic equation it e — tiTE + q = 0. As an element of the 
imaginary quadratic order O ~ End(£ l ), the Frobenius endomorphism corresponds 
to an algebraic integer with trace t and norm q. Thus we have the norm equation 

Aq = t 2 -v 2 D K . 

in which Dk is the discriminant of the field K — Q(-\/i 2 — 4q) containing O, and 
v = [O k : Z[tte]}. We have 

thus [Ok ■ O] divides v, and the same is true for any elliptic curve E/¥ p with 
Frobenius trace t. 
Let us now define 

Ell t (F,) = {j(E) : E/¥ q satisfies tr7r B = t}, 

the set of F p -isomorphism classes of elliptic curves E/¥ p with a given Frobenius 
trace t. By a theorem of Tate [35], E1L,(F 9 ) corresponds to an isogeny class, but 
note that Ell t (F g ) = EU_ t (F g ). We may write Ell t (F 9 ) as the disjoint union 

EUt(F,) = □ E11 (F 9 ), 

Z,[7T E ]COCO K 

whose cardinality is given by the Hurwitz-Kronecker class number H{Aq — t 2 ). 

2.12. The main theorem. We now arrive at our main theorem, which states that 
the ordinary components of Gi(¥ q ) are I- volcanoes (excluding the components of 
and 1728), and characterizes their structure. The proof follows easily from the 
material we have presented, as the reader may wish to verify. 

Theorem 7 (Kohel). Let V be an ordinary component of Gg(¥ q ) that does not 
contain or 1728. Then V is an l-volcano for which the following hold: 

(i) The vertices in level Vi all have the same endomorphism ring Oi. 

(ii) The subgraph on Vq has degree 1 + (^f) , where D = disc(Oo). 

(iii) If (2{r) > 0, then \Vq\ is the order of [I] in cl(O ); otherwise \Vq\ = 1. 

(iv) The depth ofV isd=v t {{t 2 - Aq)/D ) /2, where t 2 = {tnr E ) 2 forj(E) G V. 

(v) t\[0 K ■ Co] and [O t : O i+1 ] = t for < i < d. 

Remark 8 (Special cases). Theorem 7 is easily extended to the case where V 
contains or 1728. Parts (i)-(v) still hold, the only necessary modification is the 
claim that V is an I- volcano. When V contains 0, if V\ is non-empty then it contains 
\{l — (-f)) vertices, and each vertex in V\ has three incoming edges from but 
only one outgoing edge to 0. When V contains 1728, if V\ is non-empty then it 
contains \{i — {-f}) vertices, and each vertex in V\ has two incoming edges from 
1728 but only one outgoing edge to 1728. This 3-to-l (resp. 2-to-l) discrepancy 
arises from the action of Aut(E) on the cyclic subgroups of E[£] when j(E) = 
(resp. 1728). Otherwise, V satisfies all the requirements of an I- volcano, and most 
of the algorithms we present in the next section are equally applicable to V. 



ISOGENY VOLCANOES 



9 



Example 9. Let p = 411751 and 1 = 3. The graph G 3 (F P ) has a total of 206254 
components, of which 205911 are ordinary and 343 are supersingular. The supersin- 
gular components all lie in the same isogeny class (which is connected in G3(F p 2)), 
while the ordinary components lie in 1283 distinct isogeny classes. 

Let us consider the isogeny class Ell t (F p ) for t = 52. We then have 4p = t 2 — v 2 D 
with v = 2 • 3 2 • 5 and D = -203. The subgraph G £tt (¥ p ) of G e (¥ p ) on Ell t (F p ) 
(also known as a cordillera [24]), consists of ten 3-volcanoes, all of which have depth 
d = u/{v) = 2. It contains a total 1008 vertices distributed as follows: 

• 648 vertices lie in six 3-volcanoes with [Ok ■ Co] = 10 and |Vb| = 12. 

• 216 vertices lie in two 3-volcanoes with [Ok ■ Co] = 5 and \Vq\ = 12. 

• 108 vertices lie in a 3- volcano with [Ok ■ Co] = 2 and \Vq\ = 12. 

• 36 vertices lie in a 3- volcano with [Ok ■ Co] = 1 and \Vq\ =4. 

For comparison: 

• G2,52(F P ) consists of 252 2-volcanoes of depth 1 with [Vq\ = 1. 

• G f 5 i 52(F p ) consists of 144 5-volcanoes of depth 1 with |Vb| = 1. 

• G7 i 52(F p ) consists of 504 7- volcanoes with two vertices and one edge. 

• Gn j 52(Fp) consists of 1008 11-volcanoes that are all isolated vertices. 

3. Applications 

We now consider several applications of isogeny volcanoes, starting with one that 
is very simple, but nevertheless instructive. 

3.1. Finding the floor. Let E/¥ q be an ordinary elliptic curve E/¥ q . Then j(E) 
lies in an ordinary component V of Gi(¥ q ). We wish to find a vertex on the floor 
of V, that is, a vertex v in level Vd, where d is the depth of V. Such vertices v are 
easily distinguished by their (out-) degree, which is the number of roots of &e(v, Y) 
that lie in ¥ q (counted with multiplicity). 

Proposition 10. Let v be a vertex in an ordinary component V of depth d in 
Ge(¥ q ). Either degv < 2 and v e Vd, or degv = i + 1 and v £ Vd- 

Proof. If d = then V = Vq = Vd is a regular graph of degree at most 2 and v € Vd- 
Otherwise, either v e Vd and v has degree 1, or v £ Vd and v has degree t + 1. □ 

We note that if j(E) is on the floor then E[£](¥ q ) is necessarily cyclic (otherwise 
there would be another level below the floor). This is useful, for example, when 
using the CM method to construct Edwards curves [25], and shows that every 
ordinary elliptic curve E/¥ q is isogenous to some E' /¥ q with E'(¥ q ) cyclic. 

Our strategy for finding the floor is simple: if v = j{E) is not already on the 
floor then we will construct a random path from vo to a vertex v s on the floor. By 
a path, we mean a sequence of vertices vq, v\, . . . , v s such that each pair (w,_i, Uj) 
is an edge and Vi ^ (so backtracking is prohibited). 

Algorithm FindFloor 

Given an ordinary vertex v e Gg(F q ), find a vertex on the floor of its component. 

1 . If deg v < 2 then output v and terminate. 

2. Pick a random neighbor v\ of vq and set s <— 1. 

3. While degw s > 1: pick a random neighbor v s+ i ^ v s -i of v s and increment s. 

4. Output v s . 



10 



ANDREW V. SUTHERLAND 



The complexity of FindFloor is given by the following proposition, in which 
M(n) denotes the time to multiply two n-bit integers. It is worth noting that for 
large I the complexity is dominated by the time to substitute v into &t(X, Y), not 
by root- finding (a fact that is occasionally overlooked). 

Proposition 11. . Given e F g [X, Y] ; each step of FindFloor can be ac- 
complished in 0(£ 2 M(n) + M(£n)n) expected time, where n = logq. The expected 
number of steps s is 5 + 0{1), where 6 is the distance from Vo to the floor. 

Proof. Computing <f>(Y) = $g(v,Y) involves 0(£ 2 ) F g -operations, or 0(£ 2 M(n)) bit 
operations. The neighbors of v are the distinct roots of 4>(Y) that lie in ¥ q , which 
are precisely the roots of f(Y) = gcd(Y" 9 — Y, <j>(Y)). Computing Y q mod <j> involves 
0(n) multiplications in the ring F 9 [F]/ (<j>), each of which can be accomplished using 
0(M(£n)) bit operations, via Kronecker substitution [37], yielding an 0(M(£n)n) 
bound. With the fast Euclidean algorithm the gcd of two polynomials of degree 
0(£) can be computed using 0(M(£n)\og£) bit operations. If log^ < n then this 
is bounded by 0(M(£n)n), and otherwise it is bounded by 0(£ 2 M(n)). Thus the 
total time to compute f(Y) for any particular v is 0(£ 2 M(n) + M(£n)n). 

The degree of f(Y) is the number of distinct roots of v) in ¥ q . For £ > 3, 
this is less than or equal to 2 if and only if v is on the floor. For £ < 3 we can count 
roots with multiplicity by taking gcds with derivatives of <p, within the same time 
bound. To find a random root of f(Y) we use the probabilistic splitting algorithm 
of [27]; since we need only one root, this takes 0(M(£n)n) expected time. 

For every vertex v in a level Vi above the floor, at least 1/3 of v's neighbors lie 
in in level Vi+i, thus within O(l) expected steps the path will be extended along 
a descending edge. Once this occurs, every subsequent edge in the path must be 
descending, since we are not allowed to backtrack along the single ascending edge, 
and will reach the floor within <5 + 0(1) steps. □ 

Remark 12 (Removing known roots). As a minor optimization, rather than 
picking v s+ i as a root of <fi(Y) — &e(v s , Y) in step 3 of the FindFloor algorithm, 
we may use 4>(Y) /{Y — u s _i) e , where e is the multiplicity of v s -\ as a root of 4>iY). 
This is slightly faster and eliminates the need to check that v s +\ ^ v s -\. 

The FindFloor algorithm finds a path of expected length S + 0(1) from v to 
the floor. With a bit more effort we can find a path of exactly length 5, using a 
simplified version of an algorithm from [14]. 

Algorithm FindShortestPathToFloor 

Given an ordinary vq € Ge(¥ q ), find a shortest path to the floor of its component. 

1. Let vq = j{E). If deguo < 2 then output wo and terminate. 

2. Pick three neighbors of vq and extend paths from each of these neighbors in 
parallel, stopping as soon as any of them reaches the floor. 2 

3. Output a path that reached the floor. 

The correctness of the algorithm follows from the fact that at most two of «o's 
neighbors do not lie along descending edges, so one of the three paths must begin 
with a descending edge. This path must then consist entirely of descending edges, 
yielding a shortest path to the floor. The algorithm takes at most 36 steps, each of 
which has complexity bounded as in Proposition 11. 



2 If vq does not have three distinct neighbors then just pick all of them. 



ISOGENY VOLCANOES 



11 



The main virtue of FindShortestPathToFloor is that it allows us to com- 
pute S, which tells us the level Vd-s of j{E) relative to the floor Vd- It effectively 
gives us an "altimeter" S(v) that we may be used to navigate V. We can determine 
whether a given edge (i>i, V2) is horizontal, ascending, or descending, by comparing 
S(vi) to S(v2), and we can determine the exact level of any vertex; see [32, §4.1] 
for algorithms and further details. We should also mention that an alternative ap- 
proach based on pairings has recently been developed by Ionica and Joux [17, 18], 
which is more efficient when d is large. 

3.2. Identifying supersingular curves. Both algorithms in the previous section 
assume that their input is the j-invariant of an ordinary elliptic curve. But what 
if this is not the case? If we attempt to "find the floor" on the supersingular 
component of G^(F p 2) we will never succeed, since every vertex has degree I + 1. 
On the other hand, from part (iv) of Theorem 7 (and Remark 8), we know that 
every ordinary component of Gi(¥ p 2) has depth less than log^ 2p, so we can bound 
the length of the shortest path to the floor from any ordinary vertex. 

This suggests that, with minor modifications, the algorithm FindShortest- 
PathToFloor can be used to determine whether a given elliptic curve E/¥ q is 
ordinary or supersingular. If j(E) £ ¥ p 2 then E must be ordinary, so we may 
assume vq — j(E) e ¥ p 2 (even if E is defined over F p , we want to work in F p 2). 
We modify step 2 of the algorithm so that if none of the three paths reaches the 
floor within log £ 2p steps, it reports that its input is supersingular and terminates. 
Otherwise, the algorithm succeeds and can report that its input is ordinary. This 
works for any prime £, but using 1 = 2 gives the best running time. 

This yields a Las Vegas algorithm to determine whether a given elliptic curve 
is ordinary or supersingular in 0(n 3 ) expected time, where n = log q. For com- 
parison, the best previously known Las Vegas algorithm has an expected running 
time of 0(n 4 ), and the best known deterministic algorithm runs in 0(n 5 ) time. 
Remarkably, the average time for a random input is only 0(n 2 ). This matches the 
complexity of the best known Monte Carlo algorithm for this problem, with better 
constant factors; see [34] for further details. 

3.3. Computing endomorphism rings. We now turn to a more difficult prob- 
lem: determining the endomorphism ring of an ordinary elliptic curve E/¥ q . We 
assume that the trace of Frobenius t = tr7i\E is known; this can be computed in 
polynomial time using Schoof 's algorithm [28] . By factoring 4q — t 2 , we can com- 
pute the positive integer v and fundamental discriminant D satisfying the norm 
equation 4q = t 2 — v 2 D. We then know that T,\ke\ has index v in the maximal 
order Ok, where K = Q(y/D). The order O ~ End(E) is uniquely determined by 
its index u in Ok , and u must be a divisor of v. Let us assume D < —4. 

We can determine u by determining the level of j(E) in its component of Gi(¥ q ) 
for each of the primes I dividing v. If v = i^ 1 ■ ■ ■ is the prime factorization of v, 
then u = tf 1 --- £%f, where Si = ei — di is the distance from j(E) to the floor of 
its ^-volcano. But it may not be practical to compute Si using FindShortest- 
PathToFloor when ii is large: its complexity is quasi-quadratic in £ i} which may 
be exponential in log q (and computing is even harder) . More generally, we do 
not know any algorithm for computing a vertical ^-isogeny whose complexity is not 
at least linear in I (in general, quadratic in tj. This would seem to imply that we 
cannot avoid a running time that is exponential in log q. 



12 



ANDREW V. SUTHERLAND 



However, as noted in Remark 5, computing horizontal isogenics is easier than 
computing vertical isogenics. We now sketch an approach to computing End(_E) 
that uses horizontal isogenies to handle large primes dividing v, based on the al- 
gorithm in [4]. To simplify the presentation, we assume that v is square-free; the 
generalization to arbitrary v is straight-forward. 

Let C be the lattice of orders in Ok that contain Z[tte}- Our strategy is to 
determine whether u is divisible by a given prime divisor £ of v using a smooth 
relation that holds in an order O € C if and only if O is maximal at I. This relation 
will hold in YraA(E) if and only if u is not divisible by £. 

A smooth relation R is a multiset {p^ 1 •••p^ 3 } in which the pi are invertible 
Z[7i\E]-ideals with prime norms pi occurring with multiplicity n, such that pi and 
ri satisfy bounds that are subexponential in log q. We say that R holds in O € C if 
the O-ideal Rq = (piO) ri ■ ■ ■ (p s O) r ° is principal. If O' C O, the existence of the 
norm-preserving homomorphism p: cl(O') — > cl(O) defined as in §2.10 implies that 
if R holds in O', then it holds in O. It thus suffices to find a relation that holds 
in the order of index v/l in Ok, but not in the order of index I in Ok- Under the 
GRH, for £ > 3 we can find such an R in probabilistic subexponential time [3] . 

To determine whether R holds in O ~ End(_E), we compute the CM action of 
[Ro] € cl(O) on j(E) e Ello(F g ). This involves walking n steps along the surface 
of a Pi-volcano for each of the pi appearing in R and then checking whether we wind 
up back at our starting point j(E). None of the Pi divide v, so these p»- volcanoes 
all have depth and consist of either a single edge or a cycle. We must choose a 
direction to walk along each cycle (one corresponds to the action of pi, the other 
to pi). There are methods to determine the correct choice, but in practice we can 
make s small enough so that it is easy to simply try every combination of choices 
and count how many work; see [4] for details. 

Under the GRH, this algorithm has a subexponential expected running time of 
£[1/2, V3/2] plus the cost of factoring 4q— t 2 (the latter is heuristically negligible, 
using the number field sieve, and provably bounded by £[1/2, 1] in [23]). Bisson [3] 
has recently improved this to £[1/2, \/2/2] plus the cost of factoring 4q — t 2 . 

Example 13. Let q — 2 320 + 261 and suppose that E/¥ q has Frobenius trace 

t = 2306414344576213633891236434392671392737040459558. 
Then 4q = t 2 - v 2 D, where D = -147759 and v = 2 2 pip 2 , with 

pi = 16447689059735824784039, 

p 2 = 71003976975490059472571. 

We can easily determine the level of j(E) in its 2-volcano by finding a shortest path 
to the floor. For p\ and p 2 we instead use smooth relations R\ and R 2 . 

Let 0\ be the order of index p\ in Ok, and 0[ the order of index vjp\ in Ok- 
The relation 

R\ = {p5, P?9j f>23°j P29, p31, plf" , Pl39, Pl49, Pl67, Pl91 , P25I ) P269, P~587i P643} 

holds in 0\ but not in 0[ (here pe denotes the ideal of norm £ corresponding to 
the reduced binary quadratic form £x 2 + bxy + cy 2 with b > 0). If we now let O2 
be the order of index p 2 in Ok and 0' 2 the order of index v/p 2 in Ok, then 

£^2 = {Pll,Pl3 ,p23>P41,p47,p83,Pl01,Pl97>P307>P317,p419,p91l} 

holds in 2 but not in 0' 2 . 



ISOGENY VOLCANOES 



13 



Including the time to compute the required modular polynomials and the time 
to find the relations R\ and R2, the total time to compute End(_E) in this example 
is less than half an hour. In contrast, it would be completely infeasible to directly 
compute a vertical isogeny of degree p\ or p 2 ; writing down even a single element 
of the kernel of such an isogeny would require more than 2 80 bits. 

3.4. Computing Hilbert class polynomials. Let O be an imaginary quadratic 
order with discriminant D. The Hilbert class polynomial Hr> is defined by 

h D {x)= n 

j€EU (C) 

Equivalcntly, Hd(X) is the minimal polynomial of the j-invariant of the lattice O 
over the field K = Q(V^D). Remarkably, its coefficients lie in Z. 

The field Kq = K(j(0)) is the ring class field of O. If q splits completely in Ko, 
then Hd(X) splits completely in F 9 [X] and its roots form the set Elle>(F 9 ). Each 
root is then the j-invariant of an elliptic curve E/¥ q with End(i^) ~ O. We must 
have #E(¥ q ) = q+l—t, where the norm equation 4q = t 2 —v 2 D uniquely determines 
the integers t and v up to sign, for D < —4. We can thus use a root of Hjy{X) 
in ¥ q to construct an elliptic curve E/F q with exactly q+l — t rational points, 
and by choosing q and D appropriately, we can achieve any desired cardinality for 
E(¥ q ). This is known as the CM method, which is commonly used in elliptic curve 
cryptography and elliptic curve primality proving. 

We now outline an algorithm to compute Hd(X) using the CRT approach de- 
scribed in [1, 32]. Under the GRH it runs in 0(|D|(log \D\) 5+ °W) expected time, 
which is quasi-linear in the 0(|-D| log \D\) size of Hrj(X). The same approach can 
be used to compute many other types of class polynomials; see [12]. 

Algorithm ComputeHilbertClassPolynomial 

Given an imaginary quadratic discriminant D, compute Hjj(X) as follows: 

1. Select a sufficiently large set of primes p that satisfy 4p = t 2 — v 2 D. 

2. For each prime p, compute Hjj(X) modp as follows: 

a. Generate random elliptic curves E/¥ p until #E(¥ P ) = p + 1 — t. 

b. Use volcano climbing to find E' isogenous to E with End(-E') ~ O. 

c. Enumerate Elle>(F p ) by applying the cl(C)-action to j(E'). 

d. Compute H D {X) = U je EUo(v P ) ( X - j) mod P- 

3. Use the CRT to recover Hd(X) over Z (or over ¥ q via the explicit CRT). 

Isogeny volcanoes play a key role in the efficient implementation of this algo- 
rithm, not only in step 2b, but also in step 2c, which is the most critical step and 
merits further discussion. Given any sequence of generators a\, . . . , for a finite 
abelian group G, if we let Gi = (ai, . . . , a,) and define = [Gj, Gj-i], then ev- 
ery element /3 of G can be uniquely represented in the form /3 = a^ 1 ■ ■ ■ at k , with 
< &i < Ti. This is a special case of a polycyclic presentation. We can use a poly- 
cyclic presentation of cl(O) to enumerate the torsor Elle>(F p ) by enumerating the 
list of exponent vectors (ei, . . . , e^) in reverse lexicographic order. At each step we 
apply the action of the generator ai that transforms the current exponent vector 
to the next in the list (usually i = 1, since ei varies most frequently). 

Using generators of the form ai = [U], where U is an invertible O-ideal of prime 
norm £», this amounts to walking along the surfaces of various I- volcanoes. To 
make this process as efficient as possible, it is crucial to minimize the primes 



14 



ANDREW V. SUTHERLAND 



This is achieved by choosing (i to minimize l\ and then minimizing each £j subject 
to [Ij] ^ ([d], . . . , [Ci-i]); this is called an optimal ■presentation [32, §5.1]. This will 
often cause us to use a set of generators that is larger than strictly necessary. 

As an example, for D = —79947 the class group cl(O) is cyclic of order 100, 
generated by the class of an ideal with norm 19. But the optimal presentation for 
cl(O) uses ideals [\ and I2 with norms 2 and 13, respectively. The classes of these 
ideals are not independent, we have [fe] 5 = [Ii] 18 , but they do form a polycyclic 
presentation with r\ = 20 and — 5. Using this presentation to enumerate 
Elle>(F p ) is more than 100 times faster than using any single generator of cl(O). 
One can construct examples where the optimal presentation is exponentially faster 
than any presentation that minimizes the number of generators; see [32, §5.3]. 

Enumerating Ello(F p ) using a polycyclic presentation involves walking along the 
surfaces of various ^-volcanoes, as in the previous section when testing relations. 
But using an optimal presentation will often mean that some of the primes ii 
divide v. This always happens, for example, when D = 1 mod 8, since in this 
case £i=2 divides v. Thus we must be prepared to walk along the surface of an 
^-volcano of nonzero depth. We now give a simple algorithm to do this. 

Algorithm WalkSurfacePath 

Given vo on the surface Vo of an £- volcano of depth d and a positive integer n < #Vq, 
return a path vo, . . . , v n in Vo- 

1. If v has a single neighbor v\, then return the path vq,v\. 
Otherwise, walk a path vo, . . . ,Vd and set i 4— 0. 

2. While dcgVi + d = 1: replace u;+i, . . . , i>j+<j by extending the path t>o, 
by d steps, starting from an unvisited neighbor v' i+1 of Vi. 

3. Extend the path v , . . . , v i+ d to v , . . . , v i+ d+i and increment i. 

4. If i = n then return vo,...,v n ; otherwise, go to step 2. 

Algorithm WalkSurfacePath requires us to know the depth d of the ^-volcano, 
which we may determine from the norm equation. It works by walking an arbitrary 
path to the floor and then backing up d steps to a vertex that must be on the 
surface (whenever we leave the surface we must descend to the floor in exactly d 
steps). When d or £ is large, this algorithm is not very inefficient and the pairing- 
based approach of [18] may be faster. But in the context of computing Hilbert class 
polynomials, both d and i are typically quite small. 

Remark 14 (Walking the surface with geds). An alternative approach to 
walking the surface using geds is given in [12]. Suppose we have already enumerated 
vo, ■ ■ ■ , v n along the surface of an t- volcano, and have also taken a single step from 
v to an adjacent vertex v' on the surface of an ^'-volcano. We can then compute 
a path v' , . . . ,v' n along the surface of the I- volcano containing v' by computing 
each v' i+1 as the unique root of f(Y) = gcd(^e(v' i ,Y),^£>(v i+ i,Yj). The vertex 
v' i+1 is guaranteed to be on the surface, and the root-finding operation is trivial, 
since f(Y) has degree 1. This approach is generally much faster than using cither 
WalkSurfacePath or the algorithm in [18], and in practice most of the vertices 
in Elle>(F p ) can be enumerated this way; see [12] for further details. 

Remark 15 (Space complexity). A key virtue of the CRT approach is that 
by using the explicit CRT [2, Thm. 3.2], it is possible to directly compute the 
coefficients of Hd(X) modulo an integer m (the characteristic of ¥ q , for example), 
without first computing the coefficients over Z. This means we can compute Hd(X) 



ISOGENY VOLCANOES 



15 



over W q with a space complexity that is quasi-linear in h(D)\ogq, which may be 
much smaller than \D\ log \D\. When h(D) is sufficiently composite (often the case), 
we can use a decomposition of the ring class field to find a root of Hjj(X) in ¥ q with 
a space complexity quasi-linear in h(D) 1 / 2 log 9; see [33]. The low space complexity 
of the CRT approach has greatly increased the range of feasible discriminants for 
the CM method: examples with \D\ « 10 16 can now be handled [33], whereas 
\D\ fa 10 10 was previously regarded as a practical upper limit [11]. 

3.5. Computing modular polynomials. All of the algorithms we have discussed 
depend on modular polynomials $i(X, Y); we even used them to define the graph of 
^-isogenics. We now outline an algorithm to compute using the CRT approach 
described in [6]. Under the GRH, it runs in 0(£ 3 (log£) 3+0 ^) expected time, which 
makes it the fastest method known for computing Y). 

Algorithm ComputeModularPolynomial 
Given an odd prime £, compute &t(X, Y) as follows: 

1. Pick an order O with h(0) > £ + 1 and let D = disc(O). 

2. Select a sufficiently large set of primes p that satisfy Ap = t 2 — £ 2 v 2 D, 
with £ \ v and p = 1 mod £. 

3. For each prime p, compute $>#(X, Y) modp as follows: 

a. Enumerate Elle>(F p ) starting from a root vq of Hd(X) mod p. 

b. Use Velu's algorithm to compute a descending ^-isogeny from vq to v' . 

c. Enumerate Elle>/(F p ) using v' Q as a starting point, where [O : O'] = £. 

d. Map the £- volcanoes that make up Elle>(F p ) U Ell<p/(F P ). 

e. Interpolate $i(X, Y) mod p. 

4. Use the CRT to recover &g(X, Y) over Z (or over F g via the explicit CRT). 

The restrictions on p ensure that each clement of Ello(F p ) lies on the surface of 
an £- volcano of depth 1 whose floor consists of elements of Ell e) (F p ). An example 
with £ = 5 and D = —151 is shown below. 





k yi 


\ ~A — ^ 


71 








~7l 







When we enumerate Elle>(F p ) in step 3a, we use a polycyclic presentation ol for 
cl(O) derived from prime ideals whose norms are all less than £ (for £ > 2 this 
is always possible). By expressing the class 7 of an invertible O-ideal of norm £ 
in terms of a, we can then determine all of the horizontal ^-isogenies between 
elements of Ello(F p ) without knowing In our example with D = —151, the 
presentation a consists of a single generator a corresponding to an ideal of norm 2, 
with 7 = a 3 . Thus our enumeration of Elle>(F p ) yields a cycle of 2-isogenies that 
we can convert to a cycle of 5-isogenies by simply picking out every third element. 

The application of Velu's algorithm in Step 3b involves picking a random point P 
of order £ and computing the £-isogeny ip with (P) as its kernel. This process is 
greatly facilitated by our choice of p, which ensures that P has coordinates in F p , 
rather than an extension field. We may find that tp is a horizontal £-isogeny, but 
we can easily detect this and try again with a different P. 



1(5 



ANDREW V. SUTHERLAND 



As in step 3a, when we enumerate Elle>'(F p ) in step 3c we use a polycyclic 
presentation f3 for cl(O') derived form prime ideals whose norms are all less than £. 
There are no horizontal f-isogenies between elements of Elle>'(F p ), but we need to 
connect each element of Elle>/(Fp) to its ^-isogenous parent in Ellei(Fp). This is 
done by identifying one child v' of each parent and then identifying that child's 
siblings, which are precisely the elements of Ell©/ (F p ) that are related to v' by a 
cyclic isogeny of degree £ 2 . By expressing the class 7' of an invertible O' ideal of 
norm £ 2 in terms of /3, we can identify the £ 2 -isogeny cycles of siblings in Elle>/(F p ); 
these are precisely the cosets of the homomorphism p: cl(O') — > cl(O) in §2.10. 

After identifying the horizontal isogenies among the vertices v in Elle>(F p ) and 
the children of each v, we can completely determine the subgraph of Ge(¥ p ) on 
Ello(Fp) u Ello'(Fp); this is what it means to "map" the I- volcanoes in step 3d. In 
our example with D = —151 there is just one t- volcano; the figure below depicts 
the result of mapping this I- volcano when p = 4451. 




In step 3e we compute, for each of £ + 2 vertices Vi g Ellei(Fp), the polynomial 
4>i{Y) = $e(vi,Y) = Ylj(y — Vij), where Vij ranges over the £ + 1 neighbors of Vi 
in Gi (F p ). We can then interpolate the coefficients of $e(X, Y) = J^i j CijX t Y : > as 
follows: if V'j(A^) is the unique polynomial of degree at most £ + 1 for which ipj(vi) 
is the coefficient of Y- 7 in <fii(Y), then c^- is the coefficient of X 1 in ipj(X). 

Remark 16 (Weber modular polynomials). This algorithm can compute mod- 
ular polynomials for many modular functions besides the j-function; see [6, §7]. 
This includes the Weber /-function that satisfies (/(z) 24 — 16) 3 = f(z) 24 j(z). The 
modular polynomials &g(X, Y) for f(z) are sparser than &e(X, Y) by a factor of 24, 
and have coefficients whose binary representation is smaller by a factor of approxi- 
mately 72. Thus the total size of $J is roughly 1728 times smaller than , and it 
can be computed nearly 1728 times faster. 

Remark 17 (Modular polynomials of composite level). A generalization of 
this approach that efficiently computes modular polynomials $ n (X, Y) for com- 
posite values of N can be found in [7]. 

Remark 18 (Evaluating modular polynomials). Most applications that use 
<&e (X, y), including all the algorithms we have considered here, only require the in- 
stantiated polynomial 4>(Y) = $e(j(E),Y). A space-efficient algorithm for directly 
computing (j){Y) without using $e(X, Y) appears elsewhere in this volume [31]. 

The isogeny volcano algorithm for computing <&e(X, Y) has substantially in- 
creased the feasible range of £: it is now possible to compute with £ w 10,000, 
and for we can handle £ ss 60, 000. It has also greatly reduced the time required 
for these computations, as may be seen in the tables of [6, §8]. 



ISOGENY VOLCANOES 



17 



4. Acknowledgements 
I am grateful to Gaetan Bisson for his feedback on an early draft of this article. 

References 

1. Juliana Bclding, Rcinicr Broker, Andreas Enge, and Kristin Lauter, Computing Hilbert class 
polynomials, Algorithmic Number Theory Symposium-ANTS VIII (A. J. van der Poorten and 
A. Stein, eds.), Lecture Notes in Computer Science, vol. 5011, Springer, 2008, pp. 282-295. 

2. Daniel J. Bernstein and Jonathan P. Sorenson, Modular exponentiation via the explicit Chi- 
nese Remainder Theorem, Mathematics of Computation 76 (2007), 443-454. 

3. Gaetan Bisson, Computing endomorphism rings of elliptic curves under the GRH, Journal of 
Mathematical Cryptology 5 (2011), 101-113. 

4. Gaetan Bisson and Andrew V. Sutherland, Computing the endomorphism ring of an ordinary 
elliptic curve over a finite field, Journal of Number Theory 113 (2011), 815—831. 

5. Reinier Broker, Denis Charles, and Kristin Lauter, Evaluating large degree isogenics and 
applications to pairing based cryptography, Pairing '08: Proceedings of the 2nd International 
Conference on Pairing-Based Cryptography, Lecture Notes in Computer Science, vol. 5209, 
Springer, 2008, pp. 100-112. 

6. Reinier Broker, Kristin Lauter, and Andrew V. Sutherland, Modular polynomials via isogeny 
volcanoes, Mathematics of Computation 81 (2012), 1201-1231. 

7. Jan Hendrik Bruinier, Ken Ono, and Andrew V. Sutherland, Class polynomials for nonholo- 
morphic modular functions, 2012, in preparation. 

8. Denis Charles, Eyal Goren, and Kristin Lauter, Cryptographic hash functions from expander 
graphs, Journal of Cryptology 22 (2008), 93-113. 

9. Andrew M. Childs, David Jao, and Vladimir Soukharcv, Constructing elliptic curve isogenics 
in quantum subexponential time, 2011, preprint http://arxiv.org/abs/1012.4019v2. 

10. David A. Cox, Primes of the form x + ny : Fermat, class field theory, and complex multi- 
plication, John Wiley and Sons, 1989. 

11. Andreas Enge, The complexity of class polynomial computation via floating point approxima- 
tions, Mathematics of Computation 78 (2009), 1089-1107. 

12. Andreas Enge and Andrew V. Sutherland, Class invariants for the CRT method, Algorithmic 
Number Theory Symposium-ANTS IX (G. Hanrot, F. Morain, and E. Thome, eds.), Lecture 
Notes in Computer Science, vol. 6197, Springer- Verlag, 2010, pp. 142-156. 

13. Mireille Fouquet, Anneau d'endomorphismes et cardinality des courbes elliptiques: aspects al- 
gorithmiques, PhD thesis, Ecole polytcchniquc, 2001, available at http://www.math. jussieu. 
f r/~f ouquet/Manuscrit .ps .gz. 

14. Mireille Fouquet and Francois Morain, Isogeny volcanoes and the SEA algorithm, Algorithmic 
Number Theory Symposium-ANTS V (C. Fieker and D. R. Kohel, eds.), Lecture Notes in 
Computer Science, vol. 2369, Springer, 2002, pp. 276-291. 

15. Steven D. Galbraith, Constructing isogenics between elliptic curves over finite fields, LMS 
Journal of Computation and Mathematics 2 (1999), 118-138. 

16. Steven D. Galbraith and Anton Stolbunov, Improved algorithm for the isogeny problems for 
ordinary elliptic curves, 2011, preprint, http://arxiv.org/abs/1105.6331. 

17. Sorina Ionica and Antoinc Joux, Pairing the volcano, Mathematics of Computation, posted 
on July 24, 2012, PII S 0025-5718(2012)02622-6 (to appear in print). 

18. , Pairing the volcano, Algorithmic Number Theory Symposium-ANTS IX (G. Hanrot, 

F. Morain, and E. Thome, eds.), Lecture Notes in Computer Science, vol. 6197, Springcr- 
Verlag, 2010, pp. 201-218. 

19. David Jao, Stephen D. Miller, and Ramarathnam Venkatesan, Do all elliptic curves of the 
same order have the same difficulty of discrete log?, Advances in Cryptology-ASIACRYPT 
2005, Lecture Notes in Computer Science, vol. 3788, Springer- Verlag, 2005, pp. 21-40. 

20. David Jao and Vladimir Soukharev, A subexponential algorithm for evaluating large de- 
gree isogenics, Algorithmic Number Theory Symposium-ANTS IX (G. Hanrot, F. Morain, 
and E. Thome, eds.), Lecture Notes in Computer Science, vol. 6197, Springer- Verlag, 2010, 
pp. 219-233. 

21. David Kohel, Endomorphism rings of elliptic curves over finite fields, PhD thesis, University 
of California at Berkeley, 1996. 



18 



ANDREW V. SUTHERLAND 



22. Serge Lang, Elliptic functions, second ed., Springer- Verlag, 1987. 

23. Hendrik W. Lenstra, Jr. and Carl Pomerance, A rigorous time bound for factoring integers, 
Journal of the American Mathematical Society 5 (1992), 483-516. 

24. J. Miret, D. Sadornil, J. Tena, R. Tomas, and M. Vails, Isogney Cordillera algorithm to obtain 
cryptographically good elliptic curves, Australasian Information Security Workshop: Privacy 
Enhancing Technologies (AISW), Conferences in Research and Practice in Information Tech- 
nology (CRPIT), vol. 68, 2007, pp. 127-131. 

25. Francois Morain, Edwards curves and CM curves, 2009, preprint, http://arxiv.org/abs/ 
0904.2243. 

26. Arnold K. Pizer, Ramanujan graphs and Hecke operators, Bulletin of the American Mathe- 
matical Society 23 (1990), 127-137. 

27. Michael Rabin, Probabilistic algorithms in finite fields, SIAM Journal of Computing 9 (1980), 
273-280. 

28. Rene Schoof, Elliptic curves over finite fields and the computation of square roots mod p, 
Mathematics of Computation 44 (1985), 483-294. 

29. Joseph H. Silverman, The arithmetic of elliptic curves, Springer, 1986. 

30. , Advanced topics in the arithmetic of elliptic curves, Springer, 1999. 

31. Andrew V. Sutherland, On the evaluation of modular polynomials, Algorithmic Number The- 
ory Symposium— ANTS X (E. Howe and K. Kedlaya, eds.), Mathematical Science Publishers, 
to appear, http://arxiv.org/abs/1202.3985. 

32. , Computing Hilbert class polynomials with the Chinese Remainder Theorem, Mathe- 
matics of Computation 80 (2011), 501-538. 

33. , Accelerating the CM method, LMS Journal of Computation and Mathematics (2012), 

to appear, http://arxiv.org/abs/1009.1082. 

34. , Identifying supersingular elliptic curves, LMS Journal of Computation and Mathe- 
matics (2012), to appear, http://arxiv.org/abs/1107.1140. 

35. John Tate, Endomorphisms of abelian varieties over finite fields, Inventiones Mathcmaticac 
2 (1966), 134-144. 

36. Jacques Velu, Isogenics entre courbes elliptiques, Comptes Rendus Hcbdomadaires des 
Seances de l'Academie des Sciences, Series A et B 273 (1971), 238-241. 

37. Joachim von zur Gathcn and Jiirgen Gerhard, Modern computer algebra, second ed., Cam- 
bridge University Press, 2003. 

Department of Mathematics, Massachusetts Institute of Technology, Cambridge, 
Massachusetts 02139 

E-mail address: drew@math.mit.edu 



